The Good, the Bad and the Ugly in Cybersecurity – Week 36

The Good

This week, the United Kingdom announced plans to roll out a new security framework to protect telecoms networks from cyberattacks. The framework’s regulations and best practices are the result of last year’s Telecommunications (Security) Act, developed with the UK’s National Cyber Security Centre, and a 10-week long public consultation.

The new framework, which will begin rolling out next month, requires telecommunications providers to identify and assess the risk to any “edge” equipment that could be directly exposed to potential attackers. This includes tightly regulating who is allowed to make network-wide changes, protecting networks from malicious signals, being aware of their network security risks, and ensuring their business processes are in line with good security practices. Providers are required to meet these guidelines within the next two years, or face fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 (approx. $116,000 USD) per day.

This new framework is a positive step towards bolstering the UK’s telecoms security regulations. As various industries continue to digitize their operations, it’s an encouraging sign that legislators are taking the risks that threat actors pose seriously, and implementing cyber hygiene requirements to secure sensitive data for individuals and organizations alike.

The Bad

According to recent reports, the threat actors behind Nitrokod, a cryptocurrency mining trojan, are disguising their malware as software from legitimate developers like Google. Nitrokod works by disguising itself as a clean Windows application, and then executes code to mine the cryptocurrency Monero days or weeks after a user downloads the app.

The scary part? Post-download, the applications appear to be fully functional but are actually loaded with mining malware. Nitrokod’s developers were found to be using Chromium-based frameworks to provide the functionality that the application claims to have. For example, researchers broke down how “the Google translate desktop application is converted from the Google Translate web page using the CEF (Chromium Embedded Framework) project. This gives the attackers the ability to spread functional programs without having to develop them.”

Since their emergence in 2019, Nitrokod’s developers may have infected thousands of systems across eleven countries. Over the past three years, they have distributed cryptomining malware on free software download sites like Softpedia, claiming to be desktop versions of popular online services such as Google Translate, Microsoft Translator Desktop, and MP3 downloader programs.

The threat actors’ disguises have been scarily effective; Nitrokod’s Google Translate app has been downloaded more than 112,000 times since December 2019 on Softpedia alone. Researchers are also warning the public that Nitrokod can evade detection with multi-stage infection campaigns that can continue for years.

Unfortunately, we live in a time where it’s incredibly easy to fall for malware masquerading as a useful application from a legitimate developer. This week, SentinelLabs reported on a novel threat actor called JuiceLedger that has been spreading infostealer malware through fraudulent applications.

The Ugly

Calling all Okta and Authy SMS users: your one-time passwords (OTPs) may be at risk. In the aftermath of a breach involving the cloud communications company Twilio, Okta disclosed that a threat actor dubbed “Scatter Swine” may have accessed sensitive information.

Before this breach, the popular identity and access management (IAM) company used Twilio to serve customers that authenticated their sign-ins through SMS. Okta noted in their threat response summary that they changed providers once details of the breach emerged. However, the investigation found that Scatter Swine actively searched for Okta customer data, including phone numbers and OTP codes.

Okta’s findings show that the threat actor was targeting a specific organization. During the Twilio intrusion, Scatter Swine used previously stolen credentials to trigger SMS-based MFA challenges and searched Twilio’s administrative portal for 38 phone numbers associated with Okta and the affiliated OTPs. During the search, Twilio’s console returned 50 of the most recent messages delivered through Okta’s Twilio account. Earlier this week, Twilio also confirmed that the threat actor successfully accessed Authy 2FA accounts and temporary OTPs.

Okta’s security team also believes Scatter Swine is the same threat actor responsible for multiple phishing campaigns against various technology firms, including the infamous 0ktapus phishing campaign and stealing nearly 1,000 sets of credentials.

The fallout of the Twilio breach demonstrates the devastating consequences that a supply chain attack can have. With attacks like this ramping up, it’s all the more vital for enterprise security teams to ensure their security stack is up-to-date, and to mitigate their cybersecurity risks before threat actors can find an opening to leverage.